PKI authentication script

Adam W.
Valued Contributor

PKI authentication script

ANYONE!!!!,
I need some major help. I use HP-UX 11.11 and I somehow need to come up with a script that can search and destroy authentication certs per user, in several directories, to be used when a user leaves. My issue is basically I walked into a mess here at my new job. We use PKI and when someone leaves, I need something that will search the entire server for their PKI certification file and remove it. PLEASE HELP!!!!!!!!!
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi Adam:

In general:

# find /path -xdev -type f -name "cert*" -exec rm -i {} +

...would search "/path" [and you could specify multiple directories here]; looking for files ('-f') whose basename matches the string "cert" followed by anything; and then removes the matching file.

Regards!

...JRF...
Adam W.
Valued Contributor

Re: PKI authentication script

James, thanks for the reply. The issue is that when a user moves their certs to, say, a generic account, they often change the name of the cert. So how would I go about using the above-mentioned command but searching for a particular string inside of the file? Does that make sense?
There are two types of people in the world, Marines and those who wish they were.
Ivan Krastev
Honored Contributor

Re: PKI authentication script

You can search for all cert files: *.key, *.pem ... and after that do a strings on this files to find the proper cert file.

regards,
ivan
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi (again) Adam:

> So how would I go about using the above-mentioned command but searching for a particular string inside of the file?

If you want to use a pure shell script, something like this will work:

# cat ./findit
#!/usr/bin/sh
typeset DIR=$1
typeset PAT=$2
# walk one filesystem, skip files that 'file' does not report as ascii text,
# then print the matching lines prefixed with the file name
find "${DIR}" -xdev -type f | while read -r FILE
do
    [ $(file "${FILE}" | grep -c ascii) -eq 0 ] && continue
    grep "${PAT}" "${FILE}" /dev/null   # /dev/null makes grep print the file name
done
exit 0

...run as:

# ./findit /path string_to_match

This will report the names of files with the lines where the pattern matches. You can easily amend this to remove files.

The same thing can be done using Perl:

# perl -MFile::Find -e 'find(sub{push @f,$File::Find::name if -f $_ && -T _},".");@a=`grep -i $ARGV[0] @f`;print for sort @a' string_to_match

Either script confines itself to "text" (not binary) files.

Regards!

...JRF...

Adam W.
Valued Contributor

Re: PKI authentication script

James,
Let me apologize for bothering you (again); I have never learned about scripting in any way. But I am a bit confused by your shell script entry. Would I simply paste what you wrote into a file? Also, to run it, where you wrote "path" would I put something like /home?
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi (again) Adam:

> Let me apologize for bothering you (again); I have never learned about scripting in any way. But I am a bit confused by your shell script entry. Would I simply paste what you wrote into a file? Also, to run it, where you wrote "path" would I put something like /home?

No apology necessary. Copy and paste the shell script. All good scripts begin with an interpreter line. For the standard HP-UX shell that's:

#!/usr/bin/sh

...which tells the shell what interpreter to load to interpret (understand) the commands in the file.

Yes, in lieu of '/path' you would use '/home' or whatever directory you want to search.

Regards!

...JRF...
Adam W.
Valued Contributor

Re: PKI authentication script

Thanks James!!! I will give this a shot real quick and let you know how it turns out. I need to do some studying BIG TIME. When it comes to scripting of any kind I am way behind.
There are two types of people in the world, Marines and those who wish they were.
Adam W.
Valued Contributor

Re: PKI authentication script

James when I run

perl -MFile::Find -e 'find(sub{push @f,$File::Find::name if -f $_ && -T _},".");@a=`grep -i $ARGV[0] @f`;print for sort @a' cac_ellertc I get the error "Syntax error at line 1 : `(' is not expected." Thoughts?
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi Adam:

> I get the error "Syntax error at line 1 : `(' is not expected." Thoughts?

The perl script when pasted at the shell's command line should work just fine as posted. Did you do that, or did you put it into a file of its own? If the latter, please post the encapsulation.

Regards!

...JRF...
Adam W.
Valued Contributor

Re: PKI authentication script

I pasted it as is, with the exception of "String_.....": there I listed the string I wanted to search for.
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi (again) Adam:

You will see:

"Syntax error at line 1 : `(' is not expected."

...if the directory you are searching has a file named with the "(" character.

Use this variation, instead:

# cat findit.pl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
my ( @a, @f );
find( sub { push @f, $File::Find::name if -f $_ && -T _ }, "." );
for my $file (@f) {
open( my $fh, "<", $file ) or die;
my $lines = do { local $/; <$fh> };
push( @a, $file ) if $lines =~ m/$ARGV[0]/i;
close $fh;
}
print "$_\n" for sort @a;
1;

...run as:

# cd /path && ./findit.pl string

Regards!

...JRF...
Adam W.
Valued Contributor

Re: PKI authentication script

James,
I get this error when I try to run the script.

# cd /home && findit.pl *.pub
ksh: findit.pl: cannot execute


There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor
Solution

Re: PKI authentication script

Hi Adam:

Use a full path to wherever you put the script. Then:

# chmod 555 /path/findit
# cd /home /path/findit pub

...Don't pass "*.pub". My script will match anything containing the string "pub".

Regards!

...JRF...
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi :

Ooops: that should have been:

# chmod 555 /path/findit
# cd /home && /path/findit pub

NO POINTS for this correction.

Regards!

...JRF...

Adam W.
Valued Contributor

Re: PKI authentication script

James, one last thing and I will leave you alone I promise. How would I make this script "bounce" off of the /etc/passwd file to search through ONLY users home directories, as some of the "home" directories might not only be /home/abcd? Does what I am asking make sense?
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi (again) Adam:

> How would I make this script "bounce" off of the /etc/passwd file to search through ONLY users home directories, as some of the "home" directories might not only be /home/abcd?

Well, we could do this:

# cat ./matchit
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
my ( @a, @home, $home );
my $pattern = shift or die "Usage: $0 pattern\n";
open( FH, "<", "/etc/passwd" ) or die "Can't open /etc/passwd: ", $!, "\n";
while (<FH>) {   # one /etc/passwd entry per line
($home) = ( ( split /:/, $_ )[5] );
next unless -d $home;
push( @home, $home ) unless $home =~ '^(/$|/var|/usr|/opt)'; #...adjust...
}
close FH;
find(
sub {
if ( -f $_ && -T _ ) {
my $file = $File::Find::name;
open( my $fh, "<", $file ) or die;
my $lines = do { local $/; <$fh> };
push( @a, $file ) if $lines =~ m/$pattern/i;
close $fh;
}
},
@home
);
print "$_\n" for sort @a;
1;

...run as:

# ./matchit somestring

Notice that the '/' directory and the '/var', '/usr' and '/opt' filesystems are excluded from the search. They shouldn't be home directories for our purposes.

Regards!

...JRF...
Adam W.
Valued Contributor

Re: PKI authentication script

James,
Thanks for the reply. The issue is that several of our "generic" accounts have home directories all over the place. How would I NOT exclude those file systems?
There are two types of people in the world, Marines and those who wish they were.
James R. Ferguson
Acclaimed Contributor

Re: PKI authentication script

Hi (again) Adam:

> The issue is that several of our "generic" accounts have home directories all over the place. How would I NOT exclude those file systems?

This is an easy adjustment. Let's eliminate accounts whose 'uid' isn't greater than 100 --- the HP standard point at which non-system accounts are added.

# cat ./matchit2.pl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
my ( @a, @home, $home, $uid );
my $pattern = shift or die "Usage: $0 pattern\n";
open( FH, "<", "/etc/passwd" ) or die "Can't open /etc/passwd: ", $!, "\n";
while (<FH>) {   # one /etc/passwd entry per line
( $uid, $home ) = ( ( split /:/, $_ )[2,5] );
next unless $uid > 100; #...adjust as needed...
next unless -d $home;
push( @home, $home );
}
close FH;
find(
sub {
if ( -f $_ && -T _ ) {
my $file = $File::Find::name;
open( my $fh, "<", $file ) or die;
my $lines = do { local $/; <$fh> };
push( @a, $file ) if $lines =~ m/$pattern/i;
close $fh;
}
},
@home
);
print "$_\n" for sort @a;
1;

...run as:

# ./matchit2.pl somestring

By the way, good code is best written when good definitions of a problem are first developed :-)

Regards!

...JRF...
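The same search the thread builds up (home directories taken from /etc/passwd, system accounts skipped by uid, binary files skipped, contents matched rather than file names), written as an added example in POSIX shell. This is not James's or Adam's code; it assumes a passwd-format file whose path is passed as an argument (so it can be tried against a copy), the uid cutoff of 100 the thread uses, and a fixed string rather than a regex for the pattern. The script name "pkihunt" and the function names are made up for the example. It reports first and deletes only from a reviewed list, in a separate step.

```shell
#!/usr/bin/sh
# Added example, not code from the thread. Assumptions: passwd-format file
# given as an argument, uid cutoff taken from the thread (100), fixed-string
# pattern. Every path is quoted, so names with spaces or "(" are safe; names
# containing a newline are not (find -print is line-based).

# is_text FILE: succeed when the first 4 KiB holds only printable/space bytes,
# so binary material such as DER-encoded keys is skipped (stand-in for 'file').
is_text() {
    n=$(LC_ALL=C dd if="$1" bs=4096 count=1 2>/dev/null |
        LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    [ "${n:-1}" -eq 0 ]
}

# user_homes PASSWD MIN_UID: existing home directories of accounts whose
# uid is greater than MIN_UID, deduplicated, one per line.
user_homes() {
    awk -F: -v min="$2" '$3 > min && $6 != "" { print $6 }' "$1" |
    while IFS= read -r h; do
        [ -d "$h" ] && printf '%s\n' "$h"
    done | LC_ALL=C sort -u
}

# find_matches PASSWD MIN_UID STRING: text files under those homes whose
# contents contain STRING (case-insensitive), sorted. Reporting only.
find_matches() {
    user_homes "$1" "$2" | while IFS= read -r h; do
        find "$h" -xdev -type f -print
    done | while IFS= read -r f; do
        is_text "$f" || continue
        grep -qiF -- "$3" "$f" && printf '%s\n' "$f"
    done | LC_ALL=C sort
}

# remove_reviewed LISTFILE STRING: delete the files named in a reviewed list,
# but only those that still match, printing each removal for the audit trail.
remove_reviewed() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        is_text "$f" && grep -qiF -- "$2" "$f" || continue
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done < "$1"
}

# Command-line use; the two steps are deliberately separate:
#   ./pkihunt report /etc/passwd 100 'CN=jdoe' > /tmp/jdoe.list
#   (inspect /tmp/jdoe.list)
#   ./pkihunt purge /tmp/jdoe.list 'CN=jdoe'
case "${1:-}" in
    report) find_matches "$2" "$3" "$4" ;;
    purge)  remove_reviewed "$2" "$3" ;;
esac
```

Matching on a fixed string with grep -F avoids the surprise James mentions with "pub" matching everything containing those letters only if you pick a distinctive string (a subject component such as "CN=jdoe" rather than a bare user name), and the quoted "$f" is what keeps a file name containing "(" from producing the syntax error Adam hit with the backtick version.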
Adam W.
Valued Contributor

Re: PKI authentication script

James that one right there did it! James I bow to the Gods, Sir! You are the man. Thanks a million times over.
There are two types of people in the world, Marines and those who wish they were.